Efecte | Data processing addendum

BY ACCEPTING THIS DATA PROCESSING ADDENDUM OR ACCESSING OR USING THE SERVICE, YOU ARE AGREEING TO THE TERMS AND CONDITIONS OF THIS DATA PROCESSING ADDENDUM.

IF YOU ARE USING ANY CLOUD OR PROFESSIONAL SERVICES PROVIDED BY EFECTE AS AN EMPLOYEE, AGENT, OR CONTRACTOR OF A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. THE RIGHTS GRANTED UNDER THIS AGREEMENT ARE EXPRESSLY CONDITIONED UPON ACCEPTANCE BY SUCH AUTHORIZED PERSONNEL.

This Data Processing Addendum (“DPA”) is entered into by the Parties set out below in connection with the Agreement, including the Terms of Service, under which Efecte provides services, systems, any deliverables or other activities to the Customer through a Partner, including agreements under which Efecte provides Cloud and/or Professional Services (all such agreements jointly the “Agreement”). This DPA forms an integral and inseparable part of the Agreement and specifies the obligations of the Parties when Efecte is acting as Processor on behalf of the Customer.

Efecte may modify this Data Processing Addendum by notifying the Customer in writing at least 30 days in advance.

The “Effective Date” of this DPA is the date which is the earlier of (a) Customer’s initial access to any Cloud Service through any online provisioning, registration or order process or (b) the effective date of the first Purchase Order, as applicable, referencing this DPA.

This DPA is entered into by and between Efecte Finland Oy, a limited liability company established under the laws of Finland (“Efecte" or “Processor”) and the person or entity placing an order for or accessing any Cloud Services or Professional Services from Efecte through an authorized Partner (“Customer” or “Controller”). Processor and Controller are individually referred to as “Party” and collectively as “Parties”. In consideration of the terms and conditions set forth below, the parties agree as follows:

1 Definitions

1.1 Unless otherwise expressly agreed herein, the definitions set forth in the Agreement shall apply. In case a definition provided in this DPA and a definition provided in the Agreement the definition provided in this DPA shall prevail.

"Data Protection Regulation” means the applicable laws relating to protection of personal data, including without limitation the laws implementing Directive 2002/58/EC, the GDPR and any amendments thereto.

“Data Subject” means a natural person whose Personal Data is processed by Efecte under the Agreement and this DPA.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 and any amendments thereto.

“Partner” means the legal entity identified as the reseller of Cloud Services or Professional Services in the Agreement.

“Personal Data” means any information relating to an identified or identifiable natural person, and which Efecte is processing under the Agreement or otherwise, and of which the Customer is a Controller.

“Personal Data Breach” means a breach of security leading to destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, which is adverse to this DPA or Data Protection Regulation or otherwise unlawful.

“Services” means the services, systems, any deliverables and other activities supplied by or on behalf of Efecte to the Customer pursuant to the Agreement.

“Controller”, “Processor”, “Process”, “Processing” and “Supervisory Authority” shall have the meaning set forth in the GDPR.

2 Purpose, scope and nature

2.1 This DPA sets out the terms and conditions for the Processing of Personal Data by Efecte on behalf of the Customer under the Agreement for the purpose of providing the Services to the Customer through a selected Partner of Efecte (the “Purpose”).

2.2 The subject matter of the Processing is the Customer’s Personal Data as set out in the Agreement, this DPA and other appendices.

2.3 Personal Data may comprise of a) Customer’s Personal Data; or b) Customer’s Customers’ Personal Data. Personal Data may include also other types of data if required by the Purpose of the Processing agreed between the Parties.

3 Customer's general responsibilities

3.1 The Customer shall be responsible for complying with Data Protection Regulation and requirements relating to it.

3.2 This DPA together with the Agreement constitutes the Customer's complete written instruction to Efecte given by the Customer its role as the Controller. The Customer may issue new documented instructions or amend the instructions set out herein subject to a written agreement between the Parties. Efecte shall have the right to charge for additional costs arising from complying with new or amended instructions from the Customer.

4 Efecte's general responsibilities

4.1 Efecte shall process Personal Data in compliance with Data Protection Regulation and the documented instructions from the Customer, unless prescribed otherwise by a provision of Data Protection Regulation applicable to Efecte.

4.2 Efecte shall ensure that members of Efecte's staff with access to Personal Data have committed to an appropriate confidentiality obligation.

4.3 Efecte shall, taking into account the information available to Efecte, provide reasonable assistance to the Customer in responding to requests for exercising the rights of Data Subjects where the Customer does not have the needed information.

4.4 Efecte shall, taking into account the information available to Efecte, provide reasonable assistance to the Customer in ensuring the Customer's compliance with its obligations set out in Data Protection Regulation relating to data security and data protection impact assessments.

4.5 Efecte shall make available to the Customer all information necessary to demonstrate compliance with obligations set out in this DPA and in Data Protection Regulation. The Customer shall keep all such information confidential.

4.6 Efecte shall have the right to charge the Customer for costs and expenses that were incurred as a result of complying with clauses 5.3 – 5.5.

5 Data security

5.1 Efecte shall implement technical and organisational measures to ensure an appropriate level of security to protect Personal Data against unauthorised access and loss, destruction, damage, alteration or disclosure, or against other unlawful Processing.

5.2 Efecte shall notify the Customer of all Personal Data Breaches without undue delay after Efecte has become aware of the Personal Data Breach. The Personal Data Breach notification shall contain the following:

5.2.1 description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;

5.2.2 name and contact details of the contact person of Efecte handling the Personal Data Breach;

5.2.3 description of likely consequences and/or realised consequences of the Personal Data Breach; and

5.2.4 description of the measures Efecte has taken to address the Personal Data Breach and to mitigate its adverse effects.

5.3 If it is not possible to provide the information listed at the same time, the information may be provided in phases.

5.4 Efecte shall document Personal Data Breach and disclose the documentation to the Customer.

5.5 After Efecte has become aware of the Personal Data Breach, Efecte shall ensure security of Personal Data and take appropriate measures to ensure protection of Personal Data in cooperation with the Customer.

Company name	Business ID	Scope of processing	Country	Address
Equinix (Finland) Oy	0109023-9	Data center and capacity services	Finland	Hiomotie 32, 00380 Helsinki
giosg.com Oy	2388009-8	Multiroom chat provider	Finland	Valimotie 21, 00380 Helsinki
Applixure Oy	2507933-3	Applixure IT monitoring and management software provider	Finland	Arabiankatu 12, 00560 Helsinki
HiQ Finland Oy	0648086-9	Integration project consultancy and capasity services related to Efecte Integration Service	Finland	Tekniikantie 14, 02150 Espoo
Signicat AS	2521896-2	Provider of strong authentication services	Finland	Linnoitustie 4 B, 02600 Espoo
Userlane GmbH	HRB 226565	Digital assistant and automatic instructor	Germany	St-Martin Strasse 102, 81669 Munich
Facit Fixit GmbH	HRB 106098	Consultancy and project management of delivery and change projects regarding Device42	Germany	Vincent-van-Gogh-Strasse 13, 66564 Ottweiler
ICT Elmo Oy	1605624-4	Consultancy for delivery and transformation projects and provider of internal IT for Efecte	Finland	Patamäenkatu 18, 33900 Tampere
Innofactor Software Oy	1639021-8	Consultancy and project management of delivery and change projects	Finland	Keilaranta 9, 02150 Espoo
Innofactor AS	998784832	Consultancy and project management of delivery and change projects	Norway	Schweigaardsgt. 16, 053 Oslo
Notkia IT Oy	2338260-3	Delivery and change projects consultancy	Finland	Perttiläntie 68, 61500 Isokyrö
Softico Oy	2642182-3	Delivery and change projects consultancy and integration consultancy	Finland	Yrjönkatu 11 D 18, 00100 Helsinki
Tribone Oy	3298336-3	Consultancy and project management of delivery and change projects	Finland	Nuijamiestentie 5 A, 00400 Helsinki
Virnex Oy	2324014-6	Delivery and change projects consultancy and integration consultancy	Finland	Huopalahdentie 24, 00350 Helsinki
Seadot AB	556564-3482	Consultancy and project management of delivery and change projects	Sweden	Bonäs 12, 75591 Uppsala
UpCloud Oy, only for customers of Requeste solution	2431560-5	Data center and capacity services	Finland	Aleksanterinkatu 15 B, 00100 Helsinki

6.2 The Parties may at any given time update the list of accepted set out in Section 6.1 subcontractors by agreeing on the amendment in writing via e-mail.

6.3 Efecte shall notify the Customer about an addition of a subcontractor Processing Personal Data under this DPA at least fourteen (14) days before the subcontractor begins the Processing. If the Customer objects, the Customer shall have the right to terminate the Agreement by written notice before the effective date of the change.

6.4 Efecte shall take appropriate measures to ensure that its subcontractors are subject to equivalent requirements regarding confidentiality and security, as set out in this DPA. Efecte is responsible for the performance of its subcontractors as it is responsible for the performance of its own obligations.

8 Liability

8.1 Efecte shall be liable under this DPA only for direct damages and where it has not complied with the obligations of the GDPR specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller. Efecte’s total aggregate liability under and in relation to this DPA shall not exceed an amount equal to the fees paid by the Customer to Efecte under the Agreement during the 12 months immediately preceding the event giving rise to the liability.

8.2 Notwithstanding the aforementioned, Efecte shall not be liable for any indirect, incidental, consequential, punitive or special losses or damages, or the loss, alteration, destruction or corruption of data, or costs resulting from recreation of data.

9 Auditing

9.1 The Parties agree that when the Customer requests for an audit an independent auditor approved in writing by Efecte may audit Efecte's compliance with obligations set out in this DPA in order for Customer to ensure that Efecte has fulfilled the obligations set out in this DPA. The Customer has the right to request an audit prescribed in this section once in every twelve (12) months.

9.2 The Customer shall bear the costs and expenses incurred by Efecte, the Customer and the third party in connection with the audit.

9.3 Efecte shall assist the Customer and the third party in conducting the audit with reasonable measures.

9.4 If the audit reveals shortcomings, Efecte shall correct such shortcomings without delay or at the latest within thirty (30) days of a written notice from the Customer, unless the Parties agree otherwise. Any material shortcomings that pose an obvious threat to data security shall be rectified without delay.

10 Term and termination

10.1 The DPA shall continue in force during the term of the Agreement. In the event of termination of the Agreement, all Efecte shall, at the choice of the Customer, delete or return all applicable Personal Data to the Customer and delete existing copies unless Data Protection Regulation or other applicable laws require storage of the personal data.

10.2 If not instructed otherwise in writing by the Customer, Efecte shall have the right to delete and destroy the Personal Data processed hereunder within three (3) months' of the termination of the Agreement. In case the Customer demands that the Personal Data is returned to the Customer or to a third party, the Customer shall pay Efecte for reasonable costs and expenses arising out such return of the Personal Data.

Data processing addendum

1 Definitions

2 Purpose, scope and nature

3 Customer's general responsibilities

4 Efecte's general responsibilities

5 Data security

6 Subcontractors

Company name

Business ID

Scope of processing

Country

Address

7 Transfers of personal data

8 Liability

9 Auditing

10 Term and termination

11 Structure of the agreement